When we run an LDAP server for some other organizations, what base
DN should we recommend that they choose for their LDAP tree?

The server host name will be under our domain, not theirs.  (And the
server cert cannot contain a name under their domain, so it will only
confuse matters if they create a CNAME under their domain which refers
to the server.)

dc=<their domain>,dc=no still normally seems the best choice.  It doesn't
allow the hostname and DN to be guessed from each other, and it won't work
as intended with DNS SRV records.  But it still avoids the need for
administration of names to avoid name conflicts with other organizations.

The one problem I see is if they intend to use "our" LDAP server for one
kind of client (probably authentication) and may set up some other public
LDAP server of their own.  They may then (or some time later) want
referrals between the servers.  A referral can change the DN of the
referred entry, but client support for such features varies.

Are there other problems?  Does anyone have experience with that?

And what's a good name if they choose _not_ to use 'dc' structure?
Could use o=<org>,c=NO, but I bet some clients won't like UTF-8 in
DNs.  Maybe the DN doesn't matter greatly in this case, and
o=<dc component>,dc=<our domain>,dc=no is just as good.

-- 
Regards,
Hallvard
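The post weighs a dc-style base DN (RFC 2247 mapping from the DNS domain), the SRV-record discovery that such a DN implies, and an o=<org>,c=NO alternative whose value may contain non-ASCII characters. The following helpers are an added example for illustration, not code from the post or from any LDAP project: they map a domain to a dc= DN and back, derive the `_ldap._tcp.<domain>` SRV owner name a client would query from a dc-style base DN and check whether a server host sits under that domain, and escape an RDN value per RFC 4514, optionally hex-escaping the UTF-8 bytes of non-ASCII characters for clients that dislike raw UTF-8 in DNs. The domain `example.no`, host `ldap.ours.no` and organization name used below are constructed sample values.

```python
"""RFC 2247 / RFC 4514 helpers for choosing and checking an LDAP base DN.

Added example, not code from the original post. Sample values (example.no,
ldap.ours.no, "Universitetet i Tromsø") are constructed for illustration.
"""
import string
from typing import List, Optional

# Characters RFC 4514 requires to be escaped anywhere in an attribute value.
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str, hex_non_ascii: bool = False) -> str:
    """Escape an attribute value per RFC 4514.

    With hex_non_ascii=True, every non-ASCII character is replaced by the
    \\XX hex escapes of its UTF-8 bytes (e.g. ø -> \\c3\\b8), which RFC 4514
    permits and which avoids raw UTF-8 in the DN string.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)  # leading '#'/space and trailing space
        elif hex_non_ascii and ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value: str) -> str:
    """Inverse of escape_rdn_value; accepts both \\X and \\XX (hex byte) escapes."""
    buf = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "\\":
            buf.extend(ch.encode("utf-8"))
            i += 1
            continue
        if i + 1 >= len(value):
            raise ValueError("dangling backslash in DN value")
        pair = value[i + 1:i + 3]
        if len(pair) == 2 and all(c in string.hexdigits for c in pair):
            buf.append(int(pair, 16))  # one raw UTF-8 byte
            i += 3
        else:
            buf.extend(value[i + 1].encode("utf-8"))  # escaped single character
            i += 2
    return buf.decode("utf-8")


def split_dn(dn: str) -> List[str]:
    """Split a DN string into RDN strings on unescaped commas; escapes are left in place."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def domain_to_dc_dn(domain: str) -> str:
    """RFC 2247 mapping: example.no -> dc=example,dc=no (labels lower-cased)."""
    labels = [l for l in domain.strip().rstrip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + escape_rdn_value(label) for label in labels)


def dc_dn_to_domain(dn: str) -> Optional[str]:
    """Inverse mapping; None if any RDN is not a single dc= component (e.g. o=..., c=NO)."""
    labels = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc" or not value.strip():
            return None
        labels.append(unescape_rdn_value(value.strip()))
    return ".".join(labels)


def srv_query_name(base_dn: str) -> Optional[str]:
    """SRV owner name a client derives from a dc-style base DN; None for non-dc DNs."""
    domain = dc_dn_to_domain(base_dn)
    return None if domain is None else f"_ldap._tcp.{domain}"


def host_under_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (case-insensitive, trailing dots ignored)."""
    h = host.strip().rstrip(".").lower()
    d = domain.strip().rstrip(".").lower()
    return h == d or h.endswith("." + d)


if __name__ == "__main__":
    their_domain, our_host = "example.no", "ldap.ours.no"  # constructed values
    base = domain_to_dc_dn(their_domain)
    print(base, srv_query_name(base), host_under_domain(our_host, their_domain))
    print("o=" + escape_rdn_value("Universitetet i Tromsø", hex_non_ascii=True) + ",c=NO")
```

Running the script with the constructed values shows the base DN `dc=example,dc=no`, the SRV name `_ldap._tcp.example.no` that clients following the dc mapping would look up, `False` for the server host being under that domain, and the o= alternative with the non-ASCII byte sequence hex-escaped.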
